spree_auth_devise 1.3.1
Authentication Bypass by CSRF Weakness
critical severity GHSA-gpqc-4pp7-5954< 4.0.1
Impact
CSRF vulnerability that allows user account takeover.
All applications using any version of the frontend component of spree_auth_devise are affected if protect_from_forgery method is both:
- Executed whether as:
- A before_action callback (the default)
- A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find).
- Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception).
That means that applications that haven't been configured differently from what it's generated with Rails aren't affected.
Thanks @waiting-for-dev for reporting and providing a patch 👏
Patches
Spree 4.3 users should update to spree_auth_devise 4.4.1 Spree 4.2 users should update to spree_auth_devise 4.2.1 Spree 4.1 users should update to spree_auth_devise 4.1.1 Older Spree version users should update to spree_auth_devise 4.0.1
Workarounds
If possible, change your strategy to :exception:
class ApplicationController < ActionController::Base
protect_from_forgery with: :exception
end
Add the following toconfig/application.rb to at least run the :exception strategy on the affected controller:
config.after_initialize do
Spree::UsersController.protect_from_forgery with: :exception
end
References
https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2
Authentication Bypass by CSRF Weakness
high severity CVE-2021-41275~> 4.0.1, ~> 4.1.1, ~> 4.2.1, >= 4.4.1
Impact
CSRF vulnerability that allows user account takeover.
All applications using any version of the frontend component of spree_auth_devise
are affected if protect_from_forgery method is both:
- Executed whether as:
- A
before_actioncallback (the default) - A
prepend_before_action(optionprepend: truegiven) before the:load_objecthook inSpree::UserController(most likely order to find).
- A
- Configured to use
:null_session` or:reset_sessionstrategies (``:null_sessionis the default in case the no strategy is given, butrails --newgenerated skeleton use ``:exception`).
That means that applications that haven't been configured differently from what is generated with Rails aren't affected.
Patches
- Spree 4.3 users should update to
spree_auth_devise4.4.1 - Spree 4.2 users should update to
spree_auth_devise4.2.1 - Spree 4.1 users should update to
spree_auth_devise4.1.1 - Older Spree version users should update to
spree_auth_devise4.0.1
Workarounds
If possible, change your strategy to :exception:
class ApplicationController
< ActionController::Base
protect_from_forgery with: :exception
end
Add the following to config/application.rb to at least run the :exception
strategy on the affected controller:
config.after_initialize do
Spree::UsersController.protect_from_forgery
with: :exception
end
spree_auth_devise allows remote authenticated users to assign themselves arbitrary roles
medium severity CVE-2013-2506>= 1.0.0, < 3.0.5
app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
Author did not declare license for this gem in the gemspec.
This gem version has a BSD-3-Clause license in the source code, however it was not declared in the gemspec file.
This gem version is available.
This gem version has not been yanked and is still available for usage.